| 1 | The following changes since commit 61c265f0660ee476985808c8aa7915617c44fd53: | 1 | The following changes since commit 67c1115edd98f388ca89dd38322ea3fadf034523: |
|---|---|---|---|
| 2 | 2 | ||
| 3 | Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20200313a' into staging (2020-03-13 10:33:04 +0000) | 3 | Merge remote-tracking branch 'remotes/kraxel/tags/ui-20210323-pull-request' into staging (2021-03-23 23:47:30 +0000) |
| 4 | 4 | ||
| 5 | are available in the Git repository at: | 5 | are available in the Git repository at: |
| 6 | 6 | ||
| 7 | https://github.com/stefanha/qemu.git tags/block-pull-request | 7 | https://gitlab.com/stefanha/qemu.git tags/block-pull-request |
| 8 | 8 | ||
| 9 | for you to fetch changes up to 4ab78b19189a81038e744728ed949d09aa477550: | 9 | for you to fetch changes up to 3460fd7f3959d1fa7bcc255796844aa261c805a4: |
| 10 | 10 | ||
| 11 | block/io: fix bdrv_co_do_copy_on_readv (2020-03-16 11:46:11 +0000) | 11 | migrate-bitmaps-postcopy-test: check that we can't remove in-flight bitmaps (2021-03-24 13:41:19 +0000) |
| 12 | 12 | ||
| 13 | ---------------------------------------------------------------- | 13 | ---------------------------------------------------------------- |
| 14 | Pull request | 14 | Pull request |
| 15 | 15 | ||
| 16 | This dirty bitmap fix solves a crash that can be triggered in the destination | ||
| 17 | QEMU process during live migration. | ||
| 18 | |||
| 16 | ---------------------------------------------------------------- | 19 | ---------------------------------------------------------------- |
| 17 | 20 | ||
| 18 | Vladimir Sementsov-Ogievskiy (1): | 21 | Vladimir Sementsov-Ogievskiy (2): |
| 19 | block/io: fix bdrv_co_do_copy_on_readv | 22 | migration/block-dirty-bitmap: make incoming disabled bitmaps busy |
| 23 | migrate-bitmaps-postcopy-test: check that we can't remove in-flight | ||
| 24 | bitmaps | ||
| 20 | 25 | ||
| 21 | block/io.c | 2 +- | 26 | migration/block-dirty-bitmap.c | 6 ++++++ |
| 22 | 1 file changed, 1 insertion(+), 1 deletion(-) | 27 | tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test | 10 ++++++++++ |
| 28 | 2 files changed, 16 insertions(+) | ||
| 23 | 29 | ||
| 24 | -- | 30 | -- |
| 25 | 2.24.1 | 31 | 2.30.2 |
| 26 | 32 | diff view generated by jsdifflib |
| 1 | From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | 1 | From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> |
|---|---|---|---|
| 2 | 2 | ||
| 3 | Prior to 1143ec5ebf4 it was OK to qemu_iovec_from_buf() from aligned-up | 3 | Incoming enabled bitmaps are busy, because we do |
| 4 | buffer to original qiov, as qemu_iovec_from_buf() will stop at qiov end | 4 | bdrv_dirty_bitmap_create_successor() for them. But disabled bitmaps |
| 5 | anyway. | 5 | being migrated are not marked busy, and user can remove them during the |
| 6 | incoming migration. Then we may crash in cancel_incoming_locked() when | ||
| 7 | try to remove the bitmap that was already removed by user, like this: | ||
| 6 | 8 | ||
| 7 | But after 1143ec5ebf4 we assume that bdrv_co_do_copy_on_readv works on | 9 | #0 qemu_mutex_lock_impl (mutex=0x5593d88c50d1, file=0x559680554b20 |
| 8 | part of original qiov, defined by qiov_offset and bytes. So we must not | 10 | "../block/dirty-bitmap.c", line=64) at ../util/qemu-thread-posix.c:77 |
| 9 | touch qiov behind qiov_offset+bytes bound. Fix it. | 11 | #1 bdrv_dirty_bitmaps_lock (bs=0x5593d88c0ee9) |
| 12 | at ../block/dirty-bitmap.c:64 | ||
| 13 | #2 bdrv_release_dirty_bitmap (bitmap=0x5596810e9570) | ||
| 14 | at ../block/dirty-bitmap.c:362 | ||
| 15 | #3 cancel_incoming_locked (s=0x559680be8208 <dbm_state+40>) | ||
| 16 | at ../migration/block-dirty-bitmap.c:918 | ||
| 17 | #4 dirty_bitmap_load (f=0x559681d02b10, opaque=0x559680be81e0 | ||
| 18 | <dbm_state>, version_id=1) at ../migration/block-dirty-bitmap.c:1194 | ||
| 19 | #5 vmstate_load (f=0x559681d02b10, se=0x559680fb5810) | ||
| 20 | at ../migration/savevm.c:908 | ||
| 21 | #6 qemu_loadvm_section_part_end (f=0x559681d02b10, | ||
| 22 | mis=0x559680fb4a30) at ../migration/savevm.c:2473 | ||
| 23 | #7 qemu_loadvm_state_main (f=0x559681d02b10, mis=0x559680fb4a30) | ||
| 24 | at ../migration/savevm.c:2626 | ||
| 25 | #8 postcopy_ram_listen_thread (opaque=0x0) | ||
| 26 | at ../migration/savevm.c:1871 | ||
| 27 | #9 qemu_thread_start (args=0x5596817ccd10) | ||
| 28 | at ../util/qemu-thread-posix.c:521 | ||
| 29 | #10 start_thread () at /lib64/libpthread.so.0 | ||
| 30 | #11 clone () at /lib64/libc.so.6 | ||
| 10 | 31 | ||
| 11 | Cc: qemu-stable@nongnu.org # v4.2 | 32 | Note bs pointer taken from bitmap: it's definitely bad aligned. That's |
| 12 | Fixes: 1143ec5ebf4 | 33 | because we are in use after free, bitmap is already freed. |
| 34 | |||
| 35 | So, let's make disabled bitmaps (being migrated) busy during incoming | ||
| 36 | migration. | ||
| 37 | |||
| 13 | Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | 38 | Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> |
| 14 | Reviewed-by: John Snow <jsnow@redhat.com> | ||
| 15 | Message-id: 20200312081949.5350-1-vsementsov@virtuozzo.com | ||
| 16 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 39 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> |
| 40 | Message-Id: <20210322094906.5079-2-vsementsov@virtuozzo.com> | ||
| 17 | --- | 41 | --- |
| 18 | block/io.c | 2 +- | 42 | migration/block-dirty-bitmap.c | 6 ++++++ |
| 19 | 1 file changed, 1 insertion(+), 1 deletion(-) | 43 | 1 file changed, 6 insertions(+) |
| 20 | 44 | ||
| 21 | diff --git a/block/io.c b/block/io.c | 45 | diff --git a/migration/block-dirty-bitmap.c b/migration/block-dirty-bitmap.c |
| 22 | index XXXXXXX..XXXXXXX 100644 | 46 | index XXXXXXX..XXXXXXX 100644 |
| 23 | --- a/block/io.c | 47 | --- a/migration/block-dirty-bitmap.c |
| 24 | +++ b/block/io.c | 48 | +++ b/migration/block-dirty-bitmap.c |
| 25 | @@ -XXX,XX +XXX,XX @@ static int coroutine_fn bdrv_co_do_copy_on_readv(BdrvChild *child, | 49 | @@ -XXX,XX +XXX,XX @@ static int dirty_bitmap_load_start(QEMUFile *f, DBMLoadState *s) |
| 26 | if (!(flags & BDRV_REQ_PREFETCH)) { | 50 | error_report_err(local_err); |
| 27 | qemu_iovec_from_buf(qiov, qiov_offset + progress, | 51 | return -EINVAL; |
| 28 | bounce_buffer + skip_bytes, | 52 | } |
| 29 | - pnum - skip_bytes); | 53 | + } else { |
| 30 | + MIN(pnum - skip_bytes, bytes - progress)); | 54 | + bdrv_dirty_bitmap_set_busy(s->bitmap, true); |
| 31 | } | 55 | } |
| 32 | } else if (!(flags & BDRV_REQ_PREFETCH)) { | 56 | |
| 33 | /* Read directly into the destination */ | 57 | b = g_new(LoadBitmapState, 1); |
| 58 | @@ -XXX,XX +XXX,XX @@ static void cancel_incoming_locked(DBMLoadState *s) | ||
| 59 | assert(!s->before_vm_start_handled || !b->migrated); | ||
| 60 | if (bdrv_dirty_bitmap_has_successor(b->bitmap)) { | ||
| 61 | bdrv_reclaim_dirty_bitmap(b->bitmap, &error_abort); | ||
| 62 | + } else { | ||
| 63 | + bdrv_dirty_bitmap_set_busy(b->bitmap, false); | ||
| 64 | } | ||
| 65 | bdrv_release_dirty_bitmap(b->bitmap); | ||
| 66 | } | ||
| 67 | @@ -XXX,XX +XXX,XX @@ static void dirty_bitmap_load_complete(QEMUFile *f, DBMLoadState *s) | ||
| 68 | |||
| 69 | if (bdrv_dirty_bitmap_has_successor(s->bitmap)) { | ||
| 70 | bdrv_reclaim_dirty_bitmap(s->bitmap, &error_abort); | ||
| 71 | + } else { | ||
| 72 | + bdrv_dirty_bitmap_set_busy(s->bitmap, false); | ||
| 73 | } | ||
| 74 | |||
| 75 | for (item = s->bitmaps; item; item = g_slist_next(item)) { | ||
| 34 | -- | 76 | -- |
| 35 | 2.24.1 | 77 | 2.30.2 |
| 36 | 78 | diff view generated by jsdifflib |
New patch | |||
|---|---|---|---|
| 1 | From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
| 1 | 2 | ||
| 3 | Check that we can't remove bitmaps being migrated on destination vm. | ||
| 4 | The new check proves that previous commit helps. | ||
| 5 | |||
| 6 | Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
| 7 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
| 8 | Message-Id: <20210322094906.5079-3-vsementsov@virtuozzo.com> | ||
| 9 | --- | ||
| 10 | tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test | 10 ++++++++++ | ||
| 11 | 1 file changed, 10 insertions(+) | ||
| 12 | |||
| 13 | diff --git a/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test b/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test | ||
| 14 | index XXXXXXX..XXXXXXX 100755 | ||
| 15 | --- a/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test | ||
| 16 | +++ b/tests/qemu-iotests/tests/migrate-bitmaps-postcopy-test | ||
| 17 | @@ -XXX,XX +XXX,XX @@ class TestDirtyBitmapPostcopyMigration(iotests.QMPTestCase): | ||
| 18 | self.start_postcopy() | ||
| 19 | |||
| 20 | self.vm_b_events += self.vm_b.get_qmp_events() | ||
| 21 | + | ||
| 22 | + # While being here, let's check that we can't remove in-flight bitmaps. | ||
| 23 | + for vm in (self.vm_a, self.vm_b): | ||
| 24 | + for i in range(0, nb_bitmaps): | ||
| 25 | + result = vm.qmp('block-dirty-bitmap-remove', node='drive0', | ||
| 26 | + name=f'bitmap{i}') | ||
| 27 | + self.assert_qmp(result, 'error/desc', | ||
| 28 | + f"Bitmap 'bitmap{i}' is currently in use by " | ||
| 29 | + "another operation and cannot be used") | ||
| 30 | + | ||
| 31 | self.vm_b.shutdown() | ||
| 32 | # recreate vm_b, so there is no incoming option, which prevents | ||
| 33 | # loading bitmaps from disk | ||
| 34 | -- | ||
| 35 | 2.30.2 | ||
| 36 | diff view generated by jsdifflib |